Malware Can Steal Data From Air-Gapped Devices via Fans

Acoustic data exfiltration is possible from air-gapped computers even if they don’t have any speakers. Researchers have demonstrated that data can be stolen using fans and a mobile phone placed in the vicinity of the targeted machine.

Over the past years, experts have come up with several methods for silently exfiltrating data from isolated devices using optic, thermal, electromagnetic and acoustic covert channels. Since researchers demonstrated several years ago that data can be stolen using a computer’s internal or external speakers, many organizations have banned these components from air-gapped devices for security reasons.

Researchers from Ben-Gurion University of the Negev have discovered a new acoustic data exfiltration method that doesn’t rely on speakers. The method, dubbed Fansmitter, leverages the noise emitted by a computer’s fans to transmit data.

A piece of malware installed on the targeted air-gapped computer can use the device’s fans to send bits of data to a nearby mobile phone or a different computer equipped with a microphone. Several types of fans can be used for the task, but CPU and chassis fans are the perfect target because they can be monitored and controlled using widely available software.

According to experts, the frequency and the strength of the acoustic noise emitted by fans depend on their revolutions per minute (RPM). Attackers can control the fan to rotate at a certain speed to transmit a “0” bit and a different speed to transmit a “1” bit.

The noise is in the 100-600 Hz range, which can be detected by the human ear, but experts pointed out that attackers could use several methods to avoid raising suspicion. For instance, they can program the malware to transmit data during hours when no one is in the room (e.g. at night). They can also use low frequencies, or frequencies that are close to each other, which are less noticeable.

Researchers have conducted experiments using a regular Dell desktop computer with CPU and chassis fans, and a Samsung Galaxy S4 smartphone with a standard microphone to capture the exfiltrated data. The testing environment was a computer lab with several other workstations, switches and an air conditioning system – all of which produced background noise.

The experiment has shown that attackers can transmit 3 bits per minute using low frequencies (1000 RPM for “0” and 1600 RPM for “1”) over a distance of one meter. This means that it would take roughly three minutes to transmit 1 byte of data (e.g. one character of a password).

The transfer rate is much better at higher frequencies. For instance, at 4000-4250 RPM, experts transferred 15 bits per minute over a one-meter distance. At 2000-2500 RPM, they obtained 10 bits per minute over a four-meter distance, and the same transfer rate can also be obtained over a distance of eight meters if the frequency is increased.

“Using Fansmitter attackers can successfully exfiltrate passwords and encryption keys from a speakerless air-gapped computer to a mobile phone in the same room from various distances,” researchers wrote in their paper. “Beyond desktop computers, our method is applicable to other kinds of audioless devices, equipped with cooling fans (various types and sizes of fans) such as printers, control systems, embedded devices, IoT devices, and more.”
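Because the channel works by holding the fan at one speed for a “0” and another for a “1”, the same fan-monitoring data can be checked for that pattern on the defensive side. The sketch below is an added example, not code from the researchers' paper: it flags RPM traces that dwell at two distinct set points and keep flipping between them. The sampling interval, the thresholds and the sample traces are all assumptions constructed for illustration.

```python
from statistics import mean

def two_level_split(rpm):
    """1-D two-means: centres of the low and high groups of readings."""
    lo, hi = float(min(rpm)), float(max(rpm))
    for _ in range(20):
        mid = (lo + hi) / 2
        low = [r for r in rpm if r <= mid]
        high = [r for r in rpm if r > mid]
        if not low or not high:
            break
        new = (mean(low), mean(high))
        if new == (lo, hi):
            break
        lo, hi = new
    return lo, hi

def looks_like_fan_keying(rpm, min_gap=200, tolerance=60,
                          min_settled=0.8, min_transitions=6):
    """True when the fan dwells at two distinct set points and keeps
    flipping between them. All thresholds are assumed values."""
    if len(rpm) < 2:
        return False
    lo, hi = two_level_split(rpm)
    if hi - lo < min_gap:
        return False              # effectively one speed
    labels = [0 if abs(r - lo) <= tolerance else
              1 if abs(r - hi) <= tolerance else None for r in rpm]
    settled = [s for s in labels if s is not None]
    if len(settled) < min_settled * len(rpm):
        return False              # mostly ramping, as thermal control does
    flips = sum(a != b for a, b in zip(settled, settled[1:]))
    return flips >= min_transitions

# Constructed readings, one every 5 s (four readings per 20 s bit at 3 bits/min).
def _hold(level, n, jitter=(0, 12, -9, 5)):
    return [level + jitter[i % len(jitter)] for i in range(n)]

KEYED = [r for lvl in (1600, 1000, 1600, 1600, 1000, 1000, 1600, 1000, 1600, 1000)
         for r in _hold(lvl, 4)]
RAMP = [1000 + 15 * i for i in range(40)]        # gradual load increase
STEADY = _hold(1200, 40)                          # idle machine
ONE_STEP = _hold(1000, 20) + _hold(1600, 20)      # a single load change

if __name__ == "__main__":
    for name, trace in [("keyed", KEYED), ("ramp", RAMP),
                        ("steady", STEADY), ("one step", ONE_STEP)]:
        print(f"{name:9s} suspicious={looks_like_fan_keying(trace)}")
```

Only the trace that alternates between 1000 and 1600 RPM is flagged; a gradual ramp, a steady fan and a single speed change are not.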